APPLIED/Cmt [Focal]: [SRU Focal,Jammy,Lunar 0/1] Disable CONFIG_GDS_FORCE_MITIGATION

Roxana Nicolescu roxana.nicolescu at canonical.com
Mon Aug 14 08:12:30 UTC 2023


On 11/08/2023 16:38, Thadeu Lima de Souza Cascardo wrote:
> BugLink: https://bugs.launchpad.net/bugs/2031093
>
> [Impact]
> When booting linux with Gather Data Sampling mitigations without updated
> microcode on an affected CPU, AVX will be disabled. This will cause programs
> connecting to https using gnutls on Jammy to break, including apt and git.
>
> [Test case]
> git clone https://git.launchpad.net/~canonical-kernel-team/+git/autotest-client-tests
> Cloning into 'autotest-client-tests'...
> error: git-remote-https died of signal 4
>
> dmesg:
> [ 806.072080] traps: git-remote-http[2561] trap invalid opcode ip:7fa2e7dac44a sp:7ffed6796480 error:0 in libgnutls.so.30.31.0[7fa2e7c85000+129000]
>
> Works fine with the mitigation disabled by default.
>
> [Potential regressions]
> Users booting on affected parts without microcode updates will be subject
> to Gather Data Sampling attacks (which can be done by local untrusted
> attackers), which may leak confidential data, including keys.
>
> [Fix]
> Fix is to disable CONFIG_GDS_FORCE_MITIGATION by default. This has only
> been applied so far on Focal, Jammy and Lunar, hence only sending for those.
>
>
> Thadeu Lima de Souza Cascardo (1):
>    UBUNTU: [Config]: disable CONFIG_GDS_FORCE_MITIGATION
>
>   debian.master/config/annotations | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
Applied to focal:master-next, but I had to adjust the patch.
`cranky fdr clean updateconfigs` complained about 2 things. I had to
also add 'i386': 'n' in the annotation rule, and
'CONFIG_GDS_FORCE_MITIGATION=n' is not correct, so I replaced it with
'# CONFIG_GDS_FORCE_MITIGATION is not set'.

Roxana
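As an added example, not code from the patch or from the Ubuntu kernel team, the check below classifies the state the thread is about: the forced GDS mitigation on a CPU without updated microcode, which disables AVX and makes AVX-using libraries such as gnutls die with SIGILL. It reads the kernel's sysfs vulnerability file (the status strings are the ones reported by arch/x86/kernel/cpu/bugs.c) and the CONFIG_GDS_FORCE_MITIGATION line in a kernel config. The sample sysfs and config contents are constructed inline so the script runs offline; on a real machine you would point it at /sys/devices/system/cpu/vulnerabilities/gather_data_sampling and /boot/config-$(uname -r).

```shell
#!/bin/sh
# Added example (not part of the patch): detect the "forced GDS mitigation,
# no microcode, AVX disabled" combination that breaks gnutls, apt and git.

# Map the text of /sys/devices/system/cpu/vulnerabilities/gather_data_sampling
# to a short tag. The strings are those the kernel's bugs.c reports.
gds_state() {
    case "$1" in
        "Not affected")                            echo not-affected ;;
        "Mitigation: AVX disabled, no microcode")  echo avx-disabled ;;
        "Mitigation: Microcode"*)                  echo microcode ;;
        "Vulnerable: No microcode")                echo vulnerable-no-ucode ;;
        "Vulnerable")                              echo vulnerable ;;
        "Unknown: Dependent on hypervisor status") echo hypervisor ;;
        *)                                         echo unparsed ;;
    esac
}

# Report how CONFIG_GDS_FORCE_MITIGATION is set in a kernel config file
# (for the running kernel: /boot/config-$(uname -r)). Prints y, n or missing.
# Note the Kconfig spelling of a disabled option: "# ... is not set", not "=n".
gds_force_setting() {
    if grep -qx 'CONFIG_GDS_FORCE_MITIGATION=y' "$1"; then
        echo y
    elif grep -qx '# CONFIG_GDS_FORCE_MITIGATION is not set' "$1"; then
        echo n
    else
        echo missing
    fi
}

# Combine both. $1 = sysfs gather_data_sampling file, $2 = kernel config.
# Prints a one-line summary; returns 0 when AVX is usable, 1 when the forced
# mitigation has disabled it.
check_gds() {
    state=$(gds_state "$(cat "$1")")
    force=$(gds_force_setting "$2")
    echo "gds=$state force_mitigation=$force"
    [ "$state" != avx-disabled ]
}

# Constructed sample inputs (not captured from a real machine): the failing
# combination from the bug report, and the state after the config change.
tmp=$(mktemp -d)
printf '%s\n' 'Mitigation: AVX disabled, no microcode' > "$tmp/gds_before"
printf '%s\n' 'CONFIG_GDS_FORCE_MITIGATION=y' > "$tmp/config_before"
printf '%s\n' 'Vulnerable: No microcode' > "$tmp/gds_after"
printf '%s\n' '# CONFIG_GDS_FORCE_MITIGATION is not set' > "$tmp/config_after"

check_gds "$tmp/gds_before" "$tmp/config_before" \
    || echo "before fix: AVX disabled, AVX-using code such as gnutls will SIGILL"
check_gds "$tmp/gds_after" "$tmp/config_after" \
    && echo "after fix: AVX usable, but GDS is unmitigated until microcode is updated"
```

The second summary line is the trade-off the [Potential regressions] section describes: with the force option off and no microcode, the CPU stays "Vulnerable: No microcode" and a local attacker can attempt GDS; the fix only removes the AVX breakage. The kernel also documents a `gather_data_sampling=` boot parameter (`off` / `force`) for changing this at boot time without rebuilding the config.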